A residential proxy routes an attacker's traffic through a real consumer IP address: someone's home Comcast connection, someone's phone on Vodafone. To every IP-based check, the request looks like the person who lives there. Residential proxies exist precisely because datacenter detection works, and by 2026 they are standard equipment for serious scraping, credential stuffing, and multi-accounting operations. Catching them means accepting an uncomfortable fact up front: the IP is real, the reputation list will always be behind, and the durable evidence lives in the device and the operation rather than the address.

This is the harder sibling of datacenter proxy detection. Read that first if you have not, because everything here assumes the ASN layer is already in place.

What a residential proxy actually is

A residential proxy network is a marketplace. On one side are millions of consumer devices acting as exit nodes; on the other, customers paying to route traffic through them. The major commercial networks (Bright Data, Oxylabs, SmartProxy, IPRoyal, NetNut and a long tail) advertise pools from tens to hundreds of millions of IPs across nearly every country, priced per gigabyte at roughly $1 to $15/GB in 2026 depending on quality and rotation control.

Where the exits come from matters for detection:

  • SDK monetization. Free apps, often VPNs, games, and utilities, embed a proxy SDK and sell their users’ idle bandwidth. The user “agreed” somewhere in a terms-of-service scroll. This is the bulk of commercial supply.
  • Opt-in bandwidth sharing. Honeygain-style apps that pay users directly for exit capacity. Smaller, but genuinely consented.
  • ISP and reseller deals. Blocks of residentially-registered IPs assigned to proxy infrastructure, sold as “ISP proxies.” Static, fast, and the closest thing to a detectable middle ground, since the IPs are residential on paper but datacenter in behavior.
  • Malware. Botnets selling exit capacity through the same kind of marketplace. The 911 S5 network, dismantled in a 2024 multi-country operation, had infected machines at more than 19 million unique IP addresses and was tied by the U.S. Justice Department to $5.9 billion in fraudulent pandemic-relief claims routed through those exits alone; its operator was arrested and sanctioned by the U.S. Treasury (U.S. DOJ, U.S. Treasury). Operations like it continue under other names.

The scale is not just marketing. An academic infiltration study that mapped one major network from the inside enumerated more than 6.4 million distinct residential proxy IPs spread across over 230 countries and 52,000 ISPs (Mi et al., Resident Evil, IEEE S&P 2019), and later measurement work has tracked how that traffic looks on the wire.

Two things follow from this supply chain. The IPs are real, so the ASN check that anchors datacenter detection returns “Comcast, consumer ISP” and is telling the truth. And the IPs are shared and transient: the attacker holds any given exit for seconds to minutes, while the household keeps using it before, during, and after.

Why IP reputation cannot carry the load

The instinctive fix is a better list: feeds from providers like Spur and IPinfo that flag IPs observed acting as proxy exits. These feeds are genuinely useful and belong in the stack. They are also structurally incapable of being the whole answer:

  • The pool outruns the list. Networks rotate exits continuously across pools of millions, and a meaningful fraction of exits at any moment have never been observed before. Coverage is always partial and always stale at the margin.
  • The flag outlives the abuse. An IP that exited proxy traffic on Tuesday is a family’s only IP on Wednesday. Acting on a stale flag blocks the household, not the attacker who has long since rotated away.
  • CGNAT multiplies the collateral. Mobile carriers and some ISPs put thousands of simultaneous users behind one address. A proxy exit behind carrier-grade NAT shares its IP with a crowd of legitimate users at the same moment, so per-IP enforcement is not just leaky but actively harmful. The false-positive cost lands on real customers.

This is the constraint that shapes everything else. Against residential proxies, the IP can contribute suspicion, but it can never carry enforcement. Decisions have to attach to the device and the operator instead.

The signals that work

Four layers, in rough order of cost.

1. The proxy hop has physics

Routing through a residential exit adds a detour the attacker cannot remove. The request travels attacker → proxy network → exit device → your origin, and the round-trip timing shows it: inflated latency relative to the IP’s geography, high RTT variance as exits rotate, and TCP-level timing inconsistent with the claimed last-mile connection. A session “from” a Dallas cable modem whose TCP handshake behaves like a transcontinental relay is carrying a detour.

The exit’s network stack leaks too. Many “residential” exits are actually proxy software on a Linux node holding a residentially-registered IP, so the TCP options, window scaling, and TTL patterns of the SYN do not match the Windows or iOS device the session claims to be. The TLS fingerprint of the actual client (the attacker’s automation stack tunneled through the exit) must also agree with the claimed browser. These are the same cross-checks from browser fingerprinting techniques, applied at the network layer.
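As an added illustration (not Foil's code), the TTL-versus-claimed-OS cross-check and the handshake-jitter check described above, run over two constructed sessions; the session field names and the jitter threshold are assumptions.

```javascript
// Added example, not Foil's code: TTL vs claimed OS, plus handshake RTT jitter.
// Initial TTLs of 64 (Linux/macOS/iOS/Android) and 128 (Windows) are the usual
// OS defaults; session fields and the jitter threshold are assumptions.
const INITIAL_TTLS = [64, 128, 255];

// Each router hop decrements TTL by one, so the smallest OS default that is
// >= the observed value is the sender's likely starting TTL.
function inferInitialTtl(observedTtl) {
  return INITIAL_TTLS.find((t) => t >= observedTtl) ?? null;
}

// Initial TTL the platform named in the User-Agent would normally send.
function claimedInitialTtl(userAgent) {
  return /Windows NT/i.test(userAgent) ? 128 : 64;
}

// Hops between the sending stack and us, implied by the inferred start TTL.
function hopCount(observedTtl) {
  return inferInitialTtl(observedTtl) - observedTtl;
}

// Relative spread of handshake RTTs within one session (std dev / mean);
// rotating exits behind a relay spread far more than one fixed last mile.
function rttCoefficientOfVariation(rttsMs) {
  const mean = rttsMs.reduce((a, b) => a + b, 0) / rttsMs.length;
  const variance = rttsMs.reduce((a, b) => a + (b - mean) ** 2, 0) / rttsMs.length;
  return Math.sqrt(variance) / mean;
}

// Network-layer findings for a session: each string is one failed cross-check.
function networkFindings(session, jitterThreshold = 0.5) {
  const out = [];
  if (inferInitialTtl(session.ttl) !== claimedInitialTtl(session.userAgent)) {
    out.push("ttl_vs_claimed_os");
  }
  if (rttCoefficientOfVariation(session.rttsMs) > jitterThreshold) {
    out.push("rtt_jitter");
  }
  return out;
}

// Constructed sessions: both claim Windows Chrome. SUSPECT's SYN arrived with
// TTL 52 (a 64-start stack 12 hops away) and its RTTs swing as exits rotate.
const WIN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124";
const SUSPECT = { userAgent: WIN_UA, ttl: 52, rttsMs: [38, 210, 95, 340, 61] };
const CLEAN = { userAgent: WIN_UA, ttl: 116, rttsMs: [41, 44, 39, 43, 42] };

console.log(networkFindings(SUSPECT), networkFindings(CLEAN));
```

TTL alone cannot separate a claimed iOS, Android or macOS client from a Linux exit node, since all start at 64, so this check only bites on a Windows claim and should sit beside the TCP option and TLS comparisons the text describes.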

2. The claimed user is incoherent

The attacker controls their automation; they rent the IP blind. The two rarely agree:

  • Time zone vs geography. The browser reports Europe/Kyiv; the exit is in Phoenix. One contradiction, high precision.
  • Language vs geography. Accept-Language: ru-RU from a rotating set of US suburban ISPs, session after session.
  • Teleportation. The same device fingerprint appears from Houston, then Newark, then Lyon within an hour. Real devices move at the speed of airplanes, not rotation schedules. This check turns rotation, the attacker’s main strength, into the detection signal itself.
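The three coherence checks above, as an added example that is not Foil's code: a constructed run of sessions from one device fingerprint is scored for time-zone and language contradictions and for implied travel speed between consecutive exits. The browser.* and exit.* field names and the 1000 km/h ceiling are assumptions.

```javascript
// Added example, not Foil's code: the coherence checks from section 2 over a
// constructed run of sessions from one device fingerprint. Field names
// (browser.*, exit.*) and the 1000 km/h ceiling are assumptions.
const EARTH_RADIUS_KM = 6371;
// Great-circle distance between two {lat, lon} points (haversine formula).
function haversineKm(a, b) {
  const toRad = (deg) => (deg * Math.PI) / 180;
  const dLat = toRad(b.lat - a.lat);
  const dLon = toRad(b.lon - a.lon);
  const h = Math.sin(dLat / 2) ** 2 +
    Math.cos(toRad(a.lat)) * Math.cos(toRad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * EARTH_RADIUS_KM * Math.asin(Math.sqrt(h));
}

// Per-session contradictions: browser-reported time zone and Accept-Language
// region against where IP geolocation places the exit.
function sessionContradictions(s) {
  const out = [];
  if (s.browser.timezone !== s.exit.timezone) out.push("timezone_vs_geo");
  const primary = s.browser.acceptLanguage.split(",")[0].trim(); // e.g. "ru-RU"
  const region = (primary.split("-")[1] || "").toUpperCase();    // e.g. "RU"
  if (region && region !== s.exit.country) out.push("language_vs_geo");
  return out;
}

// Walk the sessions in time order; an implied speed above maxKmh between
// consecutive exits is a rotation schedule, not a journey.
function deviceFindings(sessions, maxKmh = 1000) {
  const sorted = [...sessions].sort((a, b) => a.ts - b.ts);
  const result = { contradictions: 0, teleports: 0 };
  sorted.forEach((s, i) => {
    result.contradictions += sessionContradictions(s).length;
    if (i === 0) return;
    const km = haversineKm(sorted[i - 1].exit, s.exit);
    const hours = (s.ts - sorted[i - 1].ts) / 3_600_000;
    if (hours > 0 && km / hours > maxKmh) result.teleports++;
  });
  return result;
}

// Constructed: one fingerprint, Houston then Newark then Lyon within 40 minutes,
// while the browser keeps reporting Kyiv time and Russian as its language.
const T0 = Date.UTC(2026, 0, 15, 9, 0, 0);
const browser = { timezone: "Europe/Kyiv", acceptLanguage: "ru-RU,ru;q=0.9" };
const SAMPLE_SESSIONS = [
  { ts: T0, browser, exit: { lat: 29.76, lon: -95.37, timezone: "America/Chicago", country: "US" } },
  { ts: T0 + 20 * 60_000, browser, exit: { lat: 40.74, lon: -74.17, timezone: "America/New_York", country: "US" } },
  { ts: T0 + 40 * 60_000, browser, exit: { lat: 45.76, lon: 4.84, timezone: "Europe/Paris", country: "FR" } },
];
```

A genuine traveller who keeps their home time zone set will trip timezone_vs_geo once per trip, which is why the text treats each check as a score contribution rather than a block on its own.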

3. The device persists while the IP rotates

Here is the structural counter. The proxy changes the address, but it does not change the device fingerprint, the automation artifacts (headless browser detection applies in full, since most resi-proxied traffic is headless), or the behavioral channel. A device identity that holds stable across fifty IPs in an afternoon is itself the finding: real users do not do that, and the attacker cannot prevent it without solving the much harder problem of defeating device intelligence, which is the territory of anti-detect browsers.

4. The operation clusters

Above single sessions, the campaign has a shape. Exits drawn from one proxy provider have a recognizable distribution; the operator’s working hours persist in request timing regardless of exit geography; workload, navigation style, and target endpoints repeat across “unrelated” sessions. Sessions that share no IP and no cookie but cluster on these features are one operation wearing many addresses. Policy applied at the cluster level (throttle the operation, not the IP) avoids the household entirely.

The bandwidth bill shapes behavior

Residential bandwidth is metered at dollars per gigabyte, and that cost leaks into how the automation behaves. A real browser loading your page pulls the HTML and then dozens of sub-resources: scripts, stylesheets, fonts, images, trackers, often a megabyte or more per view. An operator paying per gigabyte cannot afford that at scale. Resi-proxied scrapers therefore tend to fetch only the HTML or the single JSON endpoint they want, skip images and fonts entirely, reuse connections aggressively, and lean on conditional requests so they do not re-download bytes that have not changed.

The result is a session that claims to be a browser but never asks for the things a browser always asks for. A product or login page fetched from a residential IP with no accompanying CSS, font, or image requests is a strong signal regardless of how clean the fingerprint is. This is the metered-bandwidth counterpart to behavioral absence: the cost structure forces the bot to act unlike the human it imitates, and the asset-request pattern is hard to fake without paying for the very bandwidth the operator is trying to save.
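The asset-absence check from the two paragraphs above, as an added example that is not Foil's code: constructed key=value access-log lines are grouped by session and any session that fetched pages but never a stylesheet, font or image is flagged. The log format, the sid session key and the two-page minimum are assumptions.

```javascript
// Added example, not Foil's code: flag sessions that load pages but never the
// sub-resources a browser always pulls. Log format and fields are constructed.
const SUBRESOURCE = /\.(css|js|woff2?|ttf|png|jpe?g|gif|svg|webp|ico)(\?|$)/i;

// Constructed sample: h1 is a real browser view, b7 a metered fetcher.
const SAMPLE_LOG = `
sid=h1 ip=73.10.8.21 ua=Mozilla/5.0 path=/product/42 status=200
sid=h1 ip=73.10.8.21 ua=Mozilla/5.0 path=/static/app.css status=200
sid=h1 ip=73.10.8.21 ua=Mozilla/5.0 path=/static/app.js status=200
sid=h1 ip=73.10.8.21 ua=Mozilla/5.0 path=/fonts/inter.woff2 status=200
sid=h1 ip=73.10.8.21 ua=Mozilla/5.0 path=/img/42.jpg status=200
sid=b7 ip=98.51.3.77 ua=Mozilla/5.0 path=/product/42 status=200
sid=b7 ip=98.51.3.77 ua=Mozilla/5.0 path=/product/43 status=304
sid=b7 ip=98.51.3.77 ua=Mozilla/5.0 path=/api/price/43 status=200
`.trim();

// Parse one "key=value key=value" line; values may themselves contain "=".
function parseLine(line) {
  const rec = {};
  for (const kv of line.split(/\s+/)) {
    const i = kv.indexOf("=");
    rec[kv.slice(0, i)] = kv.slice(i + 1);
  }
  return rec;
}

// Per-session counts: page/API fetches, sub-resources, and conditional (304) hits.
function sessionStats(log) {
  const stats = new Map();
  for (const line of log.split("\n")) {
    const r = parseLine(line);
    const s = stats.get(r.sid) || { pages: 0, assets: 0, conditional: 0 };
    if (SUBRESOURCE.test(r.path)) s.assets++; else s.pages++;
    if (r.status === "304") s.conditional++;
    stats.set(r.sid, s);
  }
  return stats;
}

// Sessions that fetched at least minPages pages and not a single CSS, font
// or image: the bandwidth-saving pattern the text describes.
function assetAbsentSessions(log, minPages = 2) {
  const out = [];
  for (const [sid, s] of sessionStats(log)) {
    if (s.pages >= minPages && s.assets === 0) out.push(sid);
  }
  return out;
}
```

Service workers, cached assets and API-only clients can also produce HTML-only views, so this belongs in the score next to the fingerprint and network evidence rather than as a gate on its own.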

Mobile proxies are the hardest case

The premium tier of the market is mobile: real SIMs in 4G and 5G modems, sometimes racks of physical phones, sometimes SIM-bank hardware. They are the hardest exits to act on, for the same reasons mobile carrier traffic is hard in general. Carrier-grade NAT puts thousands of real subscribers behind each public IP, so a mobile-proxy exit shares its address with a crowd of genuine users, and the reputation of a mobile range is close to worthless because blocking it blocks paying customers. Operators rotate these exits by toggling the radio, which hands out a fresh carrier IP on reconnect, so one physical modem cycles through a carrier’s whole pool without changing anything else.

The IP layer offers almost nothing here, which makes the device and cluster layers the entire defense. A mobile-proxy operation still runs its automation on a host that is not the phone it routes through, so the device fingerprint, the headless and automation artifacts, and the behavioral channel stay visible and stay stable across every IP the radio cycles through. The cluster signature is what ties the rotations back together. Everything in this article that keys on the operator rather than the address applies with more force when the address is a mobile one, not less.

Policy: act on the operator, not the address

What this looks like in practice:

  • Score, never gate, on IP evidence alone. A resi-proxy flag or latency anomaly raises the score; it does not block by itself.
  • Enforce on device and cluster identity. Block or throttle the device cluster running the operation. The household’s other traffic, coming from different devices with coherent behavior, never matches the cluster and never feels the enforcement.
  • Throttle and degrade rather than reveal. For scraping traffic on residential exits, price scraping included, serving cached or degraded data quietly beats a hard block that teaches the operator which sessions burned.
  • Treat ISP proxies as their own category. Static residential-registered ranges with datacenter behavior are listable and stable, closer to datacenter policy than to true rotating residential.
Sketched against the Foil SDK, with throttleAndLog, blockOrChallenge and isRepeatOffender standing in for the application's own handlers:

```javascript
import { Foil } from "@abxy/foil-server";

const client = new Foil({ secretKey: process.env.FOIL_SECRET_KEY });

// clientReportedTimezone is what the page's own script sent back
// (Intl.DateTimeFormat().resolvedOptions().timeZone); the helpers are
// the application's, not the SDK's.
async function handle(req, res, sessionId, clientReportedTimezone) {
  const session = await client.sessions.get(sessionId);

  // IP says consumer ISP; everything else disagrees
  if (
    session.network.anonymity.residential_proxy &&
    session.network.location.timezone !== clientReportedTimezone
  ) {
    return throttleAndLog(req, res); // suspicion: raise cost, keep watching
  }

  // the durable identity, not the address
  if (session.visitor_fingerprint) {
    const history = await client.fingerprints.get(session.visitor_fingerprint.id);
    if (isRepeatOffender(history)) {
      return blockOrChallenge(req, res); // enforcement attaches to the operation
    }
  }
}
```

How Foil supports it

Foil classifies the network path in session.network.anonymity from the timing, stack, and reputation evidence: residential_proxy flags rotating residential exits, hosting flags datacenter paths, and static ISP-proxy ranges show up through those flags combined with the ASN in network.routing. More importantly, it keeps device identity stable underneath the rotation. The session carries both: the per-session network evidence with its cross-check failures, and the visitor fingerprint (visitor_fingerprint.id) that ties the session to the operation across every exit it rents. Enforcement keyed to the visitor fingerprint is what makes residential proxies an expense for the attacker instead of an escape hatch.

For the wider picture, datacenter proxy detection covers the layer below this one, bot detection covers the signal stack as a whole, and credential stuffing and fake account prevention cover the abuse cases where residential proxies show up first.

Further reading